Blog
September 30, 2025
Why Gramm-Leach-Bliley Act (GLBA) Compliance is More Important than Ever
Security & Compliance,
Data Management
The Gramm-Leach-Bliley Act (GLBA) enforces strict regulations to safeguard financial information. GLBA compliance is a critical requirement for financial institutions and industries managing sensitive consumer data in the U.S.
According to Perforce Delphix’s 2025 State of Data Compliance and Security Report, 11% of organizations identify GLBA as a key compliance obligation for their non-production environments, highlighting its continued importance in the financial services sector and beyond.
That's why in this blog, we explore the 2021 update to GLBA compliance requirements that took effect in December 2022, and what financial institutions and other covered entities need to do to ensure their data remains compliant today.
What is the Gramm-Leach-Bliley Act (GLBA)?
Back in 1999, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, opened new markets for financial institutions by allowing them to consolidate and offer any combination of investment banking, commercial banking, and insurance services to consumers.
Additional details on GLBA are available from the Federal Trade Commission.
Key Sections of GLBA
- The Financial Privacy Rule: Governs how private financial information is collected and disclosed.
- The Safeguards Rule: Outlines processes for securing consumer financial data against breaches and unauthorized access.
- The Pretexting Rule: Prohibits obtaining financial information through deception, ensuring consumer trust.
The GLBA also requires financial institutions to give customers written privacy policy notices that detail their information-sharing practices.
Why is GLBA Compliance Important?
Organizations in industries including financial services, insurance, and retail must ensure GLBA compliance due to its amended 2021 regulations, which introduced stricter requirements for protecting non-public consumer data. Non-compliance can lead to severe penalties and hefty fines (according to Forbes), including:
- Fines of up to $100,000 for institutions per violation.
- Fines of up to $10,000 and imprisonment for officers and directors.
- Damage to consumer trust and organizational reputation.
The stakes have never been higher. Our 2025 report revealed that 95% of organizations reported storing more sensitive data in non-production environments than the previous year. For financial institutions, this includes consumer financial information protected under GLBA such as account numbers, transaction histories, credit scores, and personal identifiers. All of this sensitive data exists across development, testing, and analytics systems.
Who Needs to Ensure GLBA Compliance?
Some examples of industries that must be in compliance with the GLBA include:
- Financial Institutions: Banks, credit unions, brokerage firms, credit reporting companies, and hedge funds.
- Insurance Providers: Companies safeguarding sensitive client data.
- Retailers: Businesses offering credit cards or financing options.
- Higher Education: Institutions receiving Title IV funds.
Why Industries Outside of Financial Services Need to Comply
A 2021 amendment to the Gramm-Leach-Bliley Act broadened the definition of financial institutions to encompass not only financial services and insurance, but also retail, higher education, and other industries that extend credit or loans. In addition to the existing regulations, stricter rules were put in place for protecting sensitive data.
GLBA Compliance Requirements
Since the December 9, 2022, deadline, organizations that process consumer financial data have been required to follow the specific data security practices set out in the GLBA Safeguards Rule, including:
- Provide periodic reports to boards of directors and governing bodies.
- Follow secure software development practices.
- Identify and manage data based on risk.
- Implement and review data access controls.
- Encrypt data both in transit and at rest.
- Establish secure procedures for disposing of data.
GLBA may be one of many data privacy regulations your enterprise needs to comply with.
⚖️ See an array of data privacy regulations and requirements at a glance >> Data Privacy Laws and Compliance: What You Need to Ensure Compliant Non-Production Data
NEW RESEARCH
The 2025 State of Data Compliance and Security Report
According to our recent research, 84% of organizations allow data compliance exceptions in non-production environments. Discover the risk of such behavior and other trends among 280 global enterprise leaders.
How Perforce Delphix Makes GLBA Compliance Easier
Perforce Delphix Continuous Compliance gives organizations the tools they need to stay in full global compliance with GLBA, the 2021 amendments, and the revised Safeguards Rule.
Protecting your non-production data should be at the top of the list when working toward GLBA compliance, since non-production data stores used for test data management, reporting, and analytics contain up to 80% of an enterprise’s personal data, according to Delphix customers. These test environments can represent the single largest source of GLBA risk. Non-production data environments are 4-5 times larger than production and often much less secure. The 2025 report confirms that non-production environments house massive amounts of consumer financial data.
Organizations maintain an average of 7–10 copies of each production dataset, meaning that consumer financial information protected under GLBA exists in dozens or even hundreds of database instances across your enterprise. These environments can represent your single largest source of GLBA risk — especially given that our report found that 60% of organizations have experienced data breaches in non-production in the past year.
No Need to Trade Off Speed or Quality for Compliance
Financial services organizations typically reduce test data provisioning from days or weeks to minutes or hours after automating masking with Delphix. They also report 70-90% reductions in manual data handling for non‑production environments.
The result? Fast, compliant, high-quality data that financial services organizations can trust.
Don't just take our word for it — get real-life examples from financial services organizations that rely on Delphix:
UniSuper: Securing Sensitive Financial Data Without Slowing Development
As a global financial services organization, UniSuper needed to protect highly sensitive customer data while still enabling fast, efficient testing. By masking data and automating delivery to non‑production environments, UniSuper strengthened its compliance posture and significantly reduced the risk of exposing regulated financial information — an approach well aligned with GLBA requirements for safeguarding customer data.
And the best part? They ensured compliant data AND achieved a 70% improvement in development efficiency.
Morningstar Retirement: Enforcing Compliance While Scaling DevOps
Morningstar Retirement Fiduciary Services faced strict regulatory and audit requirements while supporting modern DevOps workflows. By replacing manual data provisioning with automated, masked test data, Morningstar reduced compliance risk, improved governance over sensitive financial information, and ensured development teams could work with secure data.
Like UniSuper, Morningstar achieved 70% faster times to provision data without sacrificing compliance.
Worldpay: Protecting Payment Data at Enterprise Scale
Handling large volumes of sensitive payment and customer data, Worldpay needed a way to minimize exposure risk without compromising software quality. By automatically masking financial data used in testing, Worldpay reduced compliance risk, improved control over non‑production environments, and supported safeguards for customer information at scale.
Worldpay, too, achieved 85% faster data delivery and reported higher software quality as a result.
Masking & Data Privacy for GLBA
The State of Data Compliance and Security Report found that 95% of organizations use static data masking to protect sensitive data in non-production environments, with 81% rating it as highly effective at preventing breaches. For organizations subject to GLBA, static data masking plays a critical role in meeting the Safeguards Rule by ensuring consumer financial data is irreversibly anonymized and protected from misuse outside of production systems.
Delphix Continuous Compliance is an API‑first data platform that enables security, compliance, and IT teams to automatically find, mask, and control sensitive data across development and testing environments. This supports consistent compliance with GLBA and other privacy regulations without slowing delivery.
Key Continuous Compliance capabilities include:
- Automated discovery of PII and other sensitive consumer data across databases, pipelines, and environments
- Irreversible static data masking that permanently desensitizes data so it cannot be reconstructed
- Preservation of referential integrity across databases, sources, and clouds to maintain application and test accuracy
- Centralized visibility into where GLBA‑regulated data exists in non‑production environments, supporting audit readiness and reporting
With Delphix, security teams can define enterprise‑level masking policies that specify what data must be protected, how it should be masked, and where those policies apply. These policies are then consistently enforced across all non‑production environments, eliminating manual effort and reducing the risk of gaps or misconfigurations.
By masking sensitive financial PII data directly in the development pipeline, Delphix removes the need to expunge or manually sanitize data in lower environments. Once masked, data is fully anonymized and cannot be traced back to an individual consumer, significantly reducing exposure while enabling teams to work with realistic, usable datasets.
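To make the two masking properties above concrete (one-way masking that still preserves referential integrity across tables), here is an added illustration in Python; it is not Delphix code and does not reflect how the product masks data. It assumes a constructed customer table and transaction table joined on an account number, and uses keyed HMAC-SHA256 as the deterministic, non-invertible mapping, with the masking key held by the masking job rather than shipped with the non-production copy.

```python
import hashlib
import hmac
from itertools import cycle

# Constructed sample data (not real consumer records): a customer table and a
# transaction table that references it through account_no.
CUSTOMERS = [
    {"cust_id": 1, "account_no": "4111222233334444", "ssn": "123-45-6789"},
    {"cust_id": 2, "account_no": "5555666677778888", "ssn": "987-65-4321"},
]
TRANSACTIONS = [
    {"txn_id": 10, "account_no": "4111222233334444", "amount": 42.50},
    {"txn_id": 11, "account_no": "4111222233334444", "amount": 19.99},
    {"txn_id": 12, "account_no": "5555666677778888", "amount": 300.00},
]

def mask_digits(value: str, field: str, key: bytes) -> str:
    """One-way, deterministic masking for a digit-bearing field.

    HMAC-SHA256 keyed per field maps the input to a digest, which is rendered
    as digits in the original layout so downstream format checks still pass.
    Equal inputs give equal outputs (joins survive); the digest cannot be
    inverted. Anyone holding the key could confirm a guessed input, so the
    key belongs with the masking job, never in the non-production copy.
    """
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    pool = cycle(str(b % 10) for b in digest)  # 32 digits, cycled if needed
    return "".join(next(pool) if ch.isdigit() else ch for ch in value)

def mask_tables(customers: list, transactions: list, key: bytes):
    """Mask every table that carries account_no with the same key so foreign
    keys still line up after masking (referential integrity)."""
    masked_customers = [
        {**row, "account_no": mask_digits(row["account_no"], "account_no", key),
         "ssn": mask_digits(row["ssn"], "ssn", key)} for row in customers]
    masked_txns = [
        {**row, "account_no": mask_digits(row["account_no"], "account_no", key)}
        for row in transactions]
    return masked_customers, masked_txns

def transactions_per_customer(customers: list, transactions: list) -> dict:
    """Join on account_no; run before and after masking to prove the join is intact."""
    owner = {c["account_no"]: c["cust_id"] for c in customers}
    counts = {c["cust_id"]: 0 for c in customers}
    for txn in transactions:
        if txn["account_no"] in owner:
            counts[owner[txn["account_no"]]] += 1
    return counts
```

Running the join before and after masking gives the same per-customer counts, while no original account number or SSN survives in the masked copy.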
Unlike traditional compliance solutions that take months to deploy, Delphix Continuous Compliance can be implemented in days, helping organizations reduce risk and achieve GLBA compliance faster—without disrupting development velocity. In fact, organizations using Delphix protect 77.2% more data and environments while continuing to innovate at speed.*
Accelerate GLBA Compliance with Automated Data Masking
See how Delphix enables fast, automated compliance by helping teams discover and irreversibly mask sensitive consumer data across all non‑production environments. In a no‑pressure demo, you’ll learn why industry leaders rely on Delphix to reduce data risk, strengthen auditability, and comply with GLBA — without slowing innovation.
*IDC Business Value White Paper, sponsored by Delphix, by Perforce, The Business Value of Delphix, #US52560824, December 2024